1
00:00:00,390 --> 00:00:06,870
OK, so the next thing that we can try is actually SMTP enumeration. SMTP, Simple

2
00:00:06,870 --> 00:00:11,340
Mail Transfer Protocol, and it runs on port 25, pretty much.

3
00:00:11,340 --> 00:00:14,690
If you remember from the networking section, it's for sending email.

4
00:00:14,850 --> 00:00:20,280
We can potentially gather information, you know, if that port is actually open, so we can connect to

5
00:00:20,280 --> 00:00:25,890
it, like with netcat, and then actually send it commands to see if, like, you know, a specific user

6
00:00:25,890 --> 00:00:26,550
exists or not.

7
00:00:26,580 --> 00:00:27,900
So let's go ahead and try that out.

8
00:00:27,990 --> 00:00:29,580
So we're back on our Kali Linux machine.

9
00:00:29,580 --> 00:00:34,500
So let's go ahead and actually try this SMTP enumeration manually.

10
00:00:34,510 --> 00:00:40,830
So let's type nc, and then we're going to do a -nv, and then we're going to do our address,

11
00:00:40,830 --> 00:00:43,590
192.168.56.104.

12
00:00:43,740 --> 00:00:48,710
That is the address for a disposable machine, and let's just put 25 and then we can hit enter.

13
00:00:48,720 --> 00:00:55,050
So we see that we're connected over SMTP, which is 25 as we know, because it is an open port.

14
00:00:55,260 --> 00:01:01,670
So what we can do is the VRFY command, so VRFY and then something like root.

15
00:01:01,680 --> 00:01:07,740
If you see something like this come up, then we know that, you know, this user is actually there.

16
00:01:07,740 --> 00:01:15,690
But if we try something else like VRFY, I don't know, I don't live here.

17
00:01:16,380 --> 00:01:21,630
You know, it's going to say, hey, user is unknown. But this is a good way that you can actually

18
00:01:21,630 --> 00:01:25,920
enumerate users on a system outside of doing this manually.
19
00:01:25,920 --> 00:01:28,710
One way that we can do it is we can use a script.

20
00:01:28,710 --> 00:01:30,570
So remember, I talked to you guys about scripting.

21
00:01:30,600 --> 00:01:35,460
This is where it can kind of come in handy: use your brain to kind of, like, actually find ways to automate

22
00:01:35,460 --> 00:01:35,760
things.

23
00:01:35,910 --> 00:01:37,440
So I have a script.

24
00:01:37,440 --> 00:01:40,350
It's called smtp.py.

25
00:01:40,680 --> 00:01:43,440
So it actually goes through and does this process for us.

26
00:01:43,590 --> 00:01:46,980
As you know, we start with this command for our Python scripts.

27
00:01:47,430 --> 00:01:49,890
We import socket and sys.

28
00:01:50,100 --> 00:01:54,990
And then this is, like, you know, if we do it wrong, like if we don't have the right number of arguments,

29
00:01:54,990 --> 00:01:57,000
it's going to tell you how to actually use it correctly.

30
00:01:57,120 --> 00:02:03,860
So to use it, as you can see, it's smtp.py and then followed by a space and a username.

31
00:02:03,900 --> 00:02:07,440
This connects to the socket, you know, port 25 on the machine.

32
00:02:07,560 --> 00:02:08,560
So you have to code it in.

33
00:02:08,580 --> 00:02:10,800
You can also make that a variable too, if you wanted to.

34
00:02:10,980 --> 00:02:13,170
For the purposes of this, we just made it a string.

35
00:02:13,310 --> 00:02:15,300
So we know exactly which one I want to go to.

36
00:02:15,480 --> 00:02:20,310
Then it prints out the banner, like, when it connects to it, and it sends out the VRFY

37
00:02:20,310 --> 00:02:20,570
command.

38
00:02:20,580 --> 00:02:22,380
You've got to make sure you have the space right here, too.

39
00:02:22,380 --> 00:02:23,190
It's very important.

40
00:02:23,190 --> 00:02:27,230
And then it's going to store the result here and then print it out and then close the connection.
41
00:02:27,450 --> 00:02:29,380
So let's actually go ahead and try this out.

42
00:02:29,400 --> 00:02:35,820
So when you make it, you also have to do, like, a chmod +x command and then smtp.py just

43
00:02:35,820 --> 00:02:36,870
to make it executable.

44
00:02:37,020 --> 00:02:41,830
So you just do ./smtp.py, type root, and then bam.

45
00:02:41,850 --> 00:02:47,010
Now we know a way that we can automate this so we don't have to actually go through and connect and

46
00:02:47,010 --> 00:02:48,210
type in the command.

47
00:02:48,390 --> 00:02:51,150
We could just type, we just run the script and give it a username.

48
00:02:51,150 --> 00:02:52,800
You can even do, like, a list of usernames,

49
00:02:52,800 --> 00:02:56,820
if you wanted to. So feel free to tweak that script, you know, for your own usage.

50
00:02:57,060 --> 00:03:00,290
OK, so another tool is the Nessus vulnerability scanner.

51
00:03:00,630 --> 00:03:03,080
Now it's a vulnerability scanner.

52
00:03:03,090 --> 00:03:04,140
It looks for vulnerabilities.

53
00:03:04,350 --> 00:03:09,480
It allows you to scan the entire network and discover what vulnerabilities actually exist on each computer

54
00:03:09,480 --> 00:03:09,840
on it.

55
00:03:09,990 --> 00:03:16,080
So this is a paid tool, but they have a free version that actually limits the number of IPs that you

56
00:03:16,080 --> 00:03:16,830
can scan.

57
00:03:16,980 --> 00:03:22,800
But you can still go ahead and grab that and use that for, like, you know, practicing some scanning

58
00:03:22,800 --> 00:03:24,520
in your own lab at home.

59
00:03:24,660 --> 00:03:26,160
Another vulnerability scanner:

60
00:03:26,160 --> 00:03:31,080
if you don't want to pay for Nessus and you want something fully functional and free, OpenVAS is

61
00:03:31,080 --> 00:03:31,770
a good option.

62
00:03:31,770 --> 00:03:33,330
It's an open-source vulnerability scanner.

63
00:03:33,330 --> 00:03:34,410
It's free to the public.
64
00:03:34,410 --> 00:03:38,310
It's not as robust and it won't catch as much as Nessus would.

65
00:03:39,120 --> 00:03:45,240
But it can be a solid vulnerability scanner if you set it up right and use it correctly.

66
00:03:45,390 --> 00:03:50,310
Now, I will reiterate, it is very painful to keep that thing updated and actually functioning.

67
00:03:50,310 --> 00:03:56,430
And the user interface is not intuitive at all, but it's still a vulnerability scanner. I think that

68
00:03:56,430 --> 00:04:01,410
it's said to have about maybe, like, half or, like, a third of the vulnerabilities that Nessus covers.

69
00:04:01,650 --> 00:04:04,940
But it's still free, and so that's something you could use on your own.

70
00:04:05,190 --> 00:04:11,280
OK, so a lot of passive and active reconnaissance tools that we can actually use to gather information

71
00:04:11,280 --> 00:04:15,150
about, you know, systems on a network or just a network from the outside.

72
00:04:15,150 --> 00:04:16,010
So what's next?

73
00:04:16,020 --> 00:04:19,530
So now that we know how to do that, we're going to start launching some attacks.

74
00:04:19,530 --> 00:04:25,740
You know, kind of like one attack so far, but we can start launching attacks against these discovered

75
00:04:25,740 --> 00:04:26,490
vulnerabilities.

76
00:04:26,760 --> 00:04:30,540
So I appreciate you listening in so far, and I'll see you guys in the next section.
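The smtp.py walkthrough from the lecture (connect to port 25, read the banner, send VRFY with a space and CRLF, read the reply, close) written out as an added example; this is not the course's own script. It assumes Python 3 and a server you are allowed to query, such as your own mail server when checking whether VRFY discloses which accounts exist: classify_vrfy_reply maps the RFC 5321 reply code to what it reveals, and demo_on_loopback runs the whole exchange against a constructed fake server so it can be tried offline.

```python
"""Added example (not the course's smtp.py): send one SMTP VRFY and classify the reply."""
import socket
import sys
import threading

# RFC 5321 reply codes: 250/251 confirm a mailbox, 252 neither confirms nor denies,
# 550/551/553 deny it, and 500/502 mean VRFY is not recognised or not implemented.
def classify_vrfy_reply(reply: str) -> str:
    code = reply[:3]
    if code in ("250", "251"):
        return "exists"        # the server leaks valid usernames
    if code == "252":
        return "undisclosed"   # the hardened behaviour: no leak either way
    if code in ("550", "551", "553"):
        return "unknown"       # the server leaks invalid usernames
    if code in ("500", "502"):
        return "disabled"
    return "other"

def vrfy(host, user, port=25, timeout=5.0):
    """Connect, read the banner, send 'VRFY <user>' and return (banner, reply)."""
    if "\r" in user or "\n" in user:
        raise ValueError("username must not contain CR or LF")  # keep it to one command
    with socket.create_connection((host, port), timeout=timeout) as s:
        banner = s.recv(1024).decode(errors="replace")
        s.sendall(f"VRFY {user}\r\n".encode())  # the space and the CRLF are required by SMTP
        reply = s.recv(1024).decode(errors="replace")
    return banner.strip(), reply.strip()

def demo_on_loopback(answer: bytes) -> str:
    """Exercise vrfy() against a one-shot fake SMTP server (constructed) that replies with `answer`."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))  # ephemeral port; nothing outside this host is contacted
    srv.listen(1)
    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(b"220 mail.example ESMTP (constructed banner)\r\n")
            conn.recv(1024)  # consume the VRFY line
            conn.sendall(answer)
    threading.Thread(target=serve, daemon=True).start()
    _, reply = vrfy("127.0.0.1", "root", port=srv.getsockname()[1])
    srv.close()
    return classify_vrfy_reply(reply)

if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit(f"usage: {sys.argv[0]} <host> <username>")
    banner, reply = vrfy(sys.argv[1], sys.argv[2])
    print(banner, reply, "->", classify_vrfy_reply(reply), sep="\n")
```

A server that answers 252 for every name is not leaking anything through VRFY; one that answers 250 for some names and 550 for others is, and disabling VRFY in the MTA configuration is the usual fix.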